Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tests: check for DAC override capability instead of using geteuid() #94315

Closed
tiran opened this issue Jun 27, 2022 · 1 comment
Closed

Tests: check for DAC override capability instead of using geteuid() #94315

tiran opened this issue Jun 27, 2022 · 1 comment
Labels
3.11 only security fixes 3.12 only security fixes tests Tests in the Lib/test dir type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Jun 27, 2022

Feature or enhancement

Several tests use os.geteuid() == 0 to check whether the current effective user can override discretionary access control and bypass permission checks for files. While user root typically has CAP_DAC_OVERRIDE, it may not actually have the capability. Non-root accounts can have CAP_DAC_OVERRIDE, too. On wasm32-emscripten it is not possible to query the actual effective uid.

I propose to add a check for DAC override instead of relying on effective uid check.
@tiran tiran added type-feature A feature request or enhancement type-bug An unexpected behavior, bug, or error tests Tests in the Lib/test dir 3.11 only security fixes 3.12 only security fixes and removed type-feature A feature request or enhancement labels Jun 27, 2022
@bedevere-bot bedevere-bot mentioned this issue Jun 27, 2022
Merged
tiran added a commit to tiran/cpython that referenced this issue Jun 27, 2022
@tiran
pythongh-94315: Check for DAC override capability
de8f91e 
``os.geteuid() == 0`` is not a reliable check whether the current user
has the capability to bypass permission checks. Tests now probe for DAC
override.
tiran added a commit that referenced this issue Jun 27, 2022
@tiran
gh-94315: Check for DAC override capability (GH-94316)
7e0d98e 
``os.geteuid() == 0`` is not a reliable check whether the current user
has the capability to bypass permission checks. Tests now probe for DAC
override.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 27, 2022
@tiran @miss-islington
pythongh-94315: Check for DAC override capability (pythonGH-94316)
50f56e9 
``os.geteuid() == 0`` is not a reliable check whether the current user
has the capability to bypass permission checks. Tests now probe for DAC
override.
(cherry picked from commit 7e0d98e)

Co-authored-by: Christian Heimes <christian@python.org>
@bedevere-bot bedevere-bot mentioned this issue Jun 27, 2022
Merged
miss-islington added a commit that referenced this issue Jun 27, 2022
@miss-islington @tiran
gh-94315: Check for DAC override capability (GH-94316)
5751530 
``os.geteuid() == 0`` is not a reliable check whether the current user
has the capability to bypass permission checks. Tests now probe for DAC
override.
(cherry picked from commit 7e0d98e)

Co-authored-by: Christian Heimes <christian@python.org>
@hauntsaninja
Copy link
Contributor

Thanks, looks like this has been completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.11 only security fixes 3.12 only security fixes tests Tests in the Lib/test dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tiran @hauntsaninja